Dear all,
I need some help from all of you.
I am facing a problem after joining an Ubuntu PC to Windows Server 2003 and authenticating it with the ADS. There is no problem with the authentication itself. But after logging in with an AD username and password, it keeps asking me for a password for almost everything, like getting access to a shared dir or a shared printer. After configuring Evolution I can easily get synchronized with Exchange Server 2003, but it keeps asking me for the password every time I try to open Evolution, when I want to reply to a mail, even when I try to open a new mail; almost for everything.
What I am trying to achieve here is to migrate all my users from Windows to the Linux platform, and as a first step authenticating Ubuntu 7.10 with Windows AD was successful. But now this authentication problem is getting in the way.
I followed the steps here for authenticating with windows AD:
https://help.ubuntu.com/community/Ac...ryWinbindHowto.
I also posted it in the Ubuntu forum, but nobody seems to be interested, or maybe it's a dumb question to answer. The link is below:
http://ubuntuforums.org/showthread.php?t=635967
Here are the steps I followed along with above tutorial:
Ubuntu Users Authentication through ADS
We have to install all the required packages as follows:
samba
samba-common (installed by default)
smbclient (installed by default)
winbind
openssh-server
openssh-client
Kerberos
krb5-config
krb5-user
Configuration Settings on Ubuntu
Verify Kerberos, LDAP, AD, and Winbind support
You will need to check you have support for Kerberos, LDAP, AD, and Winbind.
# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
...
# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
...
# smbd -b | grep ADS
WITH_ADS
WITH_ADS
# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND
If you're missing any of these options, you need to recompile Samba
Configure and Test Kerberos
------------------------------
/etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[libdefaults]
    default_realm = IMATION.COM
[realms]
    IMATION.COM = {
        kdc = ubuntu.imation.com
        kdc = kubuntu.imation.com
        kdc = edubuntu.imation.com
    }
[domain_realm]
    .kerberos.server = IMATION.COM
Be sure to use uppercase where applicable as shown above, and when you test the connection with kinit. If you mess up your cases, you will get an error “Cannot find KDC for requested realm while getting initial credentials”.
Test the connection with:
# kinit xp@IMATION.COM
Password for xp@IMATION.COM
Here xp is the admin user with admin rights to join the PC to AD.
[root@pc-2165 squid]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xp@IMATION.COM
Valid starting     Expires            Service principal
09/30/07 18:44:17  10/01/07 04:44:27  krbtgt/IMATION.COM@IMATION.COM
        renew until 10/01/07 04:44:17
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Configure and Test Samba
------------------------
samba.conf
[global]
workgroup = IMATION
realm = IMATION.COM
server string = Linux Web Server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
preferred master = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
[homes]
comment = Home Directories
valid users = %S
read only = yes
browseable = No
Save your changes and run 'testparm' to check for any syntax errors.
# testparm
# /etc/init.d/smb start
Finally, join your Samba machine to Active Directory:
# net ads join -U xp@IMATION.COM
xp@IMATION.COM's password:
Using short domain name -- IMATION
Joined 'SSO-ADS' to realm 'IMATION.COM'
If this works, shut down samba and enable winbind (as below). If not, you'll need to do some troubleshooting.
# ntlm_auth --username=<Any AD username>
You should get this output: "NT_STATUS_OK: Success (0x0)"
Enabling Winbind
/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
Save your changes, and fire up winbind and Samba:
# service winbind stop
# /etc/init.d/smb start
# service winbind start
Confirm winbindd is running
# pgrep winbindd
You can verify winbind is working with:
# wbinfo -u
# wbinfo -g
Modify the PAM settings:
1) /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
password required pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following lines
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
5) Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
mkdir /home/IMATION
Any help will be greatly appreciated.
Thanks in advance.
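
Added example, not part of the original post or the howto it follows: a Python check for the realm settings the walkthrough depends on (an uppercase default_realm, a kdc entry for it, [domain_realm] targets that exist in [realms], and the same realm in the Samba config). The function names and the shortened sample configs are constructed for illustration, and the strict string comparison with the Samba realm is an assumption of this check.

```python
import re

# Constructed sample input, shortened from the krb5.conf and Samba config in the post.
KRB5 = """[libdefaults]
default_realm = IMATION.COM
[realms]
IMATION.COM = {
 kdc = ubuntu.imation.com
}
[domain_realm]
.kerberos.server = IMATION.COM
"""
SMB = "[global]\nworkgroup = IMATION\nrealm = IMATION.COM\nsecurity = ADS\n"

def parse_krb5(text):
    """Return {section: {key: [values]}}; keys inside 'X = { }' become 'X/key'."""
    conf, section, stanza = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stanza = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            stanza = None
        elif "=" in line and section is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            if val == "{":
                stanza = key
                section.setdefault(key, [])
            else:
                section.setdefault(f"{stanza}/{key}" if stanza else key, []).append(val)
    return conf

def lint(krb5_text, smb_text):
    """List realm problems: case, missing KDC, dangling mappings, Samba mismatch."""
    conf, problems = parse_krb5(krb5_text), []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [""])[0]
    if not default or default != default.upper():
        problems.append(f"default_realm {default!r} is missing or not uppercase")
    if not realms.get(f"{default}/kdc"):
        problems.append(f"no kdc for realm {default!r} in [realms]")
    for name, (realm, *_) in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"[domain_realm] {name} -> undefined realm {realm!r}")
    m = re.search(r"^\s*realm\s*=\s*(\S+)", smb_text, re.M | re.I)
    if not m or m.group(1) != default:
        problems.append(f"Samba realm {m and m.group(1)!r} != default_realm {default!r}")
    return problems
```

Calling `lint()` on the real file contents before running kinit or `net ads join` returns an empty list when the realm names line up, and one message per mismatch otherwise.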